INSYDE-SA-2023038

Product: InsydeH2O
CVSS Score: 5.9
Original Date: 2023-08-08
Last Revised:

Summary

FDM TOCTOU access after measurement allows redirected code execution.

Vulnerability Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N

CVE-2022-24351

Using SPI injection, it is possible to modify the FDM contents after they have been measured. This TOCTOU (time-of-check to time-of-use) attack could be used to alter data and code used by the remainder of the boot process.
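The measure-then-use gap described above, as an added example that is not Insyde's code and does not model the FDM layout or the vendor's fix. The flash model, the region bytes, the toy digest and all function names are constructed for illustration, and the single-fetch form shows the general mitigation for this bug class (measure and use the same RAM copy).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_LEN 16

/* Constructed model: the flash region returns different bytes on any read
   after the first, standing in for contents changed after measurement. */
static const uint8_t as_built[REGION_LEN] = "region-bytes-AA";
static const uint8_t altered[REGION_LEN]  = "region-bytes-AB";
static unsigned reads;

static void flash_reset(void) { reads = 0; }

static void flash_read(uint8_t *dst, size_t len) {
    memcpy(dst, reads++ == 0 ? as_built : altered, len);
}

/* Toy FNV-1a digest standing in for the real measurement hash. */
static uint32_t measure(const uint8_t *p, size_t len) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Check and use are separate fetches. Returns 1 if the bytes handed to the
   consumer are the bytes that were measured, 0 otherwise. */
static int double_fetch(uint8_t used[REGION_LEN], uint32_t *digest) {
    uint8_t tmp[REGION_LEN];
    flash_read(tmp, sizeof tmp);          /* time of check */
    *digest = measure(tmp, sizeof tmp);
    flash_read(used, REGION_LEN);         /* time of use */
    return measure(used, REGION_LEN) == *digest;
}

/* One fetch into RAM; the same copy is measured and then used. */
static int single_fetch(uint8_t used[REGION_LEN], uint32_t *digest) {
    flash_read(used, REGION_LEN);
    *digest = measure(used, REGION_LEN);
    return measure(used, REGION_LEN) == *digest;
}

int main(void) {
    uint8_t used[REGION_LEN]; uint32_t d;
    flash_reset(); printf("double fetch consistent: %d\n", double_fetch(used, &d));
    flash_reset(); printf("single fetch consistent: %d\n", single_fetch(used, &d));
    return 0;
}
```

In the double-fetch case the recorded digest still describes the as-built bytes, so the measurement looks clean while the consumer runs on different data.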

Solution Information

Kernel 5.2: Version 05.27.29
Kernel 5.3: Version 05.36.29
Kernel 5.4: Version 05.44.13
Kernel 5.5: Version 05.52.13

Acknowledgements

Revision History

Revision #   Date         Description
1            2023-08-08   Initial Release